I know there are other questions similar to this one, but I haven't found one that is the same.

Here's the thing: I've successfully configured a web app in SharePoint to authenticate using ADFS. When I open the people picker, I can see my claims provider and the claim (Email Address). The problem is that I can search anything and the people picker will tell me that whatever I look for belongs to the claim provider.

For example: I have a user named steve.harris and the email steve.harris@mail.com. When I search in the people picker for 'steve', it will appear as if 'steve' was the e-mail. And I can even search for 'foo' and grant it permissions, and the people picker won't complain about 'foo' not existing anywhere.

As Paul says in his excellent video, once you enable claims in SharePoint, the People Picker is really a "claims expression editor"(tm), so when you type in the email address and select the email claim on the left, you're telling SharePoint to let anyone in who has an email claim matching that string. It's quite a different concept than user/group selecting in NTLM, but it still uses the same GUI.
– Bret Fisher, Apr 9 '12 at 4:04